Memes and Musings of an IT Engineer Turned to Management

Archive for April 22nd, 2012

I’ve seen article after article declaring that “passwords are dead”. Reasons range from the mathematical reality that any string of characters, no matter how random, can be brute-force cracked with enough computing power, to the pragmatic arguments that people are stupid and will pick obvious choices, re-use them frequently, and often write them down in plain sight.

There is no denying the math, but until biometrics and multi-factor authentication become more prevalent, alphanumeric passwords are here to stay no matter how deceased they may actually be. But mathematics aside, it is the human aspect that is the far greater threat to password security.

Luckily, tools such as KeePass – which provide a central database in which to store totally random complex passwords – can be used to offset the weaknesses of the human element. The database is strongly encrypted (optionally multi-factored), and every resource can have its own unique, randomly-generated, complex password. Best of all, the cut & paste process means there isn’t ever a need for the user to even know what the password is. Simply let KeePass generate something for the account, and blindly paste the copied value when you need to use it.

But if you are a heavy KeePass user, you probably keep the application open at all times. This is the equivalent of putting all your passwords on a PostIt note affixed to your monitor. If you stepped away from the workstation without locking it, someone could read all your password entries or even use Save As to make their own copy of the entire set.

For this reason, unless you live and work alone, I strongly recommend that a workspace-lock be enabled on your KeePass installation. KeePass has a number of workspace-locking options, but none of them are enabled by default. You can lock after a certain amount of KeePass inactivity, workstation inactivity, whenever the app is minimized, when suspend mode kicks in, or when the (Windows) system auto-locks via screensaver.

A locked workspace requires you to reconfirm your pass phrase and/or key file before KeePass can be accessed again. It’s a bit faster than exiting & restarting the app each time – though that is in fact one of the lock options. But some measure of workspace lock is worth the slight inconvenience. Pick one and use it. You’ll be safer for it.
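Because none of these options are on by default, it is worth checking an installation rather than assuming. The script below is an added example (not code from this post or from the KeePass project) that audits the workspace-locking section of a KeePass.config.xml and reports which of the lock triggers described above are enabled. The element names under `Security/WorkspaceLocking` are assumed from the KeePass 2.x configuration format, the mapping from element to lock option is my own, and the two config fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments of KeePass.config.xml. The element names under
# <Security><WorkspaceLocking> are assumed from the KeePass 2.x config format;
# the values are made up for this example (every lock switched off).
CONFIG_UNLOCKED = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Security>
    <WorkspaceLocking>
      <LockAfterTime>0</LockAfterTime>
      <LockAfterGlobalTime>0</LockAfterGlobalTime>
      <LockOnWindowMinimize>false</LockOnWindowMinimize>
      <LockOnSessionSwitch>false</LockOnSessionSwitch>
      <LockOnSuspend>false</LockOnSuspend>
      <ExitInsteadOfLockingAfterTime>false</ExitInsteadOfLockingAfterTime>
    </WorkspaceLocking>
  </Security>
</Configuration>
"""

# Same constructed fragment with a 5-minute inactivity lock and lock-on-session-switch on.
CONFIG_LOCKED = CONFIG_UNLOCKED.replace(
    "<LockAfterTime>0<", "<LockAfterTime>300<"
).replace(
    "<LockOnSessionSwitch>false<", "<LockOnSessionSwitch>true<"
)

# Assumed mapping from config element to the lock option the post describes.
# Timed locks hold a number of seconds; 0 (or a missing element) means off.
TIMED_LOCKS = {
    "LockAfterTime": "KeePass inactivity",
    "LockAfterGlobalTime": "workstation inactivity",
}
# Event locks hold true/false.
EVENT_LOCKS = {
    "LockOnWindowMinimize": "application minimized",
    "LockOnSuspend": "system suspend",
    "LockOnSessionSwitch": "Windows session lock / screensaver",
}


def _text(node, name):
    """Text of a child element, or None if the element (or its parent) is absent."""
    child = node.find(name) if node is not None else None
    return child.text.strip() if child is not None and child.text else None


def audit_workspace_locking(config_xml):
    """Return which workspace-lock options are on, plus an overall verdict."""
    root = ET.fromstring(config_xml)
    node = root.find("./Security/WorkspaceLocking")  # None if section is missing
    enabled, disabled = [], []
    for name, label in TIMED_LOCKS.items():
        raw = _text(node, name)
        seconds = int(raw) if raw and raw.isdigit() else 0  # missing or 0 = off
        if seconds > 0:
            enabled.append(f"{label} ({seconds}s)")
        else:
            disabled.append(label)
    for name, label in EVENT_LOCKS.items():
        raw = _text(node, name)
        (enabled if raw and raw.lower() == "true" else disabled).append(label)
    # The "exit instead of lock" variant the post mentions modifies the timed locks.
    exit_instead = (_text(node, "ExitInsteadOfLockingAfterTime") or "").lower() == "true"
    return {
        "enabled": enabled,
        "disabled": disabled,
        "exits_instead_of_locking": exit_instead,
        "ok": bool(enabled),  # at least one lock trigger is active
    }


if __name__ == "__main__":
    for label, cfg in (("unlocked", CONFIG_UNLOCKED), ("locked", CONFIG_LOCKED)):
        result = audit_workspace_locking(cfg)
        verdict = "OK" if result["ok"] else "WARNING: no workspace lock enabled"
        print(f"{label}: {verdict}")
        for item in result["enabled"]:
            print(f"  enabled:  {item}")
        for item in result["disabled"]:
            print(f"  disabled: {item}")
```

To check a real installation, read the contents of KeePass.config.xml (next to KeePass.exe, or under the user's application-data folder, depending on how it was installed) and pass the string to `audit_workspace_locking`; a missing `WorkspaceLocking` section is treated as "nothing enabled", which matches the default the post warns about.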